I've been using Synology products for a while and I'm struggling to solve this problem. My work has implemented further firewall restrictions so I only have access to ports 80 + 443.

This means that at the office, Notestation and Drive (formerly Cloud Station), which I regularly use as work have a BYOD policy, do not work. I can live without DSM and SRM remote access. I host a webpage and private blog on my Synology NAS (over 80 + 443 via port forwarding).

What I would like to do is be able to access Synology VPN via the router over port 443 (via sub domain) and tunnel into the home LAN for notestation and drive access, and also keep port 80 and 443 traffic to the NAS for web services. I'm struggling to achieve this and was after some advice.

I have my own domain and SSL certificate on the router and NAS. The VPN has its own subdomain so I have tried DNS redirect, i.e. vpn.domain.com to the router and www.domain.com to the NAS, which doesn't work. I've tried disabling port forwarding and just enabling all traffic through the firewall and I find on 443 it's either NAS or router (i.e. VPN) access, not both, whether I use the subdomain or the FQDN. I've reached the limit of my knowledge so I'm open to ideas.

Two different kinds of services using the same port number is not possible. Maybe scanning ports to find out more open ports of your work could help you for alternative port numbers: http://www.advanced-port-scanner.com/

I have played around with reverse proxy, I can go in on port 80 and reverse proxy to SRM, DSM. I'm using the inbuilt DSM application portal reverse proxy settings. My thinking was since I want to VPN on 443 and have HTTPS working together, that the DNS server on the router would redirect the VPN subdomain to the router (as it's running the VPN) and then the DNS would direct all other http://www.domain.com traffic to the NAS. That's how the DNS is currently configured but it's not working.

Saying that, would it make sense to run the VPN server on the NAS instead of the router then....

Synology Reverse proxy is a great feature and indeed allows to listen and respond on one port and flow stream to another host/port or proxypass to another application. But it's not regardless of application protocol.... It's all http/https driven.... So unless you encapsulate (tunnel) your application protocol inside a http[s] stream, Synology reverse proxy won't help....

I might be wrong, but I don't think that, out of the box, DSM provides VPN encapsulated over HTTP[s] (like SSTP for instance). An alternative option, still not available OOB, is to use the port sharing mode of OpenVPN server. When OpenVPN senses a connection which is using a non-OpenVPN protocol, it will proxy the connection to host and port defined in "--port-share" option.

I haven't tried this.... But it might be easier to implement than it sounds.... We would need to hack web station configuration so it stops listening on port 80 (or 443) and starts listening on another port, let's say 1080. OpenVPN server would be configured to listen on port 80 (or 443) and redirect non-OpenVPN traffic to 127.0.0.1:1080... Tricky part might be to keep configuration from being lost when packages are restarted or the disk station is rebooted.
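The port sharing described in the post above depends on telling protocols apart from the first bytes a client sends on the shared TCP port. The sketch below is an added example, not part of the original post and not OpenVPN's own code; the length bounds are simplified heuristics, the sample packets are constructed, and `OPENVPN_LOCAL` is a hypothetical label, while 127.0.0.1:1080 is the web port proposed in the post.

```python
import struct

OPENVPN_LOCAL = "openvpn-server"   # hypothetical label: handled by the VPN daemon itself
WEB_BACKEND = "127.0.0.1:1080"     # relocated web server port proposed in the post

# OpenVPN opcodes that open a session (upper 5 bits of the first payload byte):
# P_CONTROL_HARD_RESET_CLIENT_V1 / V2 / V3
HARD_RESET_CLIENT = {1, 7, 10}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify(first: bytes) -> str:
    """Label a new TCP connection from the first bytes the client sends."""
    if len(first) < 3:
        return "unknown"
    # TLS record header: content type 0x16 (handshake), version 3.0 to 3.4
    if first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x04:
        return "tls"
    if first.startswith(HTTP_METHODS):
        return "http"
    # OpenVPN over TCP: 2-byte big-endian length, then (opcode << 3 | key_id).
    # The packet has no Host or SNI field, so it is recognised by framing only.
    (length,) = struct.unpack("!H", first[:2])
    opcode, key_id = first[2] >> 3, first[2] & 0x07
    if opcode in HARD_RESET_CLIENT and key_id == 0 and 14 <= length <= 1500:
        return "openvpn"
    return "unknown"

def route(first: bytes) -> str:
    """Port-share behaviour: OpenVPN stays local, everything else is proxied."""
    return OPENVPN_LOCAL if classify(first) == "openvpn" else WEB_BACKEND

# Constructed sample first packets (not captured traffic)
SAMPLE_TLS = bytes.fromhex("1603010200") + b"\x01"          # start of a ClientHello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_OPENVPN = struct.pack("!H", 14) + bytes([7 << 3]) + bytes(13)

if __name__ == "__main__":
    for name, pkt in [("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP),
                      ("openvpn", SAMPLE_OPENVPN)]:
        print(f"{name:8} -> {classify(pkt):8} -> {route(pkt)}")
```

The same first-bytes check is how an inspecting firewall can tell a VPN session on port 443 from ordinary HTTPS.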

This idea might also work. But if the VPN server is running on the NAS it may be easy to resolve the problem. Changing the ports of the web station and the VPN server to non-standard ports (let's say from port 443 to 8443) will leave standard ports 80 and 443 free for the reverse proxy. Then the proxy will pass the incoming traffic to the appropriate application (web station or VPN server) based on the DNS name.